https://bugzilla.redhat.com/show_bug.cgi?id=1969450

Ben Beasley <code@xxxxxxxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |code@xxxxxxxxxxxxxxxxxx

--- Comment #5 from Ben Beasley <code@xxxxxxxxxxxxxxxxxx> ---

> As Katerina already mentioned, we don't do that in any other cockpit package which is in Fedora, so doing that will take quite some time. But honestly it doesn't buy anyone anything, other than just a whole lot of busywork, and adding 350 MB of node_modules/ to an otherwise 1 MB tarball. Rebuilding the webpack from a static node_modules/ copy is completely reproducible, so taking the already built one is a *lot* more efficient, plus avoids transitive licensing/source code problems with "we have to redistribute 735 npmjs.com modules now" (as they are *also* prebuilt and not in preferred form of modification).
>
> A developer who wants to change something can just do that and run `make`, which will download everything according to package-lock.json. The original tarball *does* ship the source, it just ships the pre-built webpack in addition.
>
> I know that this situation sucks for distributions, that's just what the JS world looks like these days :-(

Agreed that everything about this sucks—but https://docs.fedoraproject.org/en-US/packaging-guidelines/JavaScript/#_compilationminification is extremely clear:

> Shipping pre-minified or pre-compiled code is unacceptable in Fedora.

There’s a corresponding rule for compiled CSS, too: https://docs.fedoraproject.org/en-US/packaging-guidelines/Web_Assets/#_css

If this means it is impractical or impossible to package some software that is considered essential, then FESCo may need to revisit the rules, or approve an exception.

> [If you mean the node_modules dependencies: No, we can't. `npm install`/npmjs.com packages/releases are also pre-built, and thus minified. Building *everything* from source would mean tracking down several hundred projects from their upstreams and building them first (and there is no automation that applies to all of them). This is completely impractical, but also I don't believe you actually meant that, as nothing in a distro gets built like that.]

For better or worse, every NodeJS-based package that complies with the current guidelines is built very much as Robert suggests, with the help of a standardized bundler script (https://docs.fedoraproject.org/en-US/packaging-guidelines/Node.js/). Consider https://src.fedoraproject.org/rpms/fx, which has 13 NPM packages in its installed “production” bundle but has over 400 more in the “dev” bundle so it can run its tests.

You’re right that in some cases the NPM dependencies could contain pre-minified web assets. This is hard to audit for, and probably often flies under the radar, but in principle I think this would also be a problem under current guidelines.

Note that the NodeJS guidelines do encourage using NPM tarballs in general (https://docs.fedoraproject.org/en-US/packaging-guidelines/Node.js/#_using_tarballs_from_the_npm_registry).

My understanding (from a combination of https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packaged/#_pregenerated_code plus the more-specific rules for JS and CSS) is that you do have to include all of your own sources for the generated web assets in the “binary” RPM, but you do not have to install a copy of the build pipeline.